[poppler] 2 commits - poppler/GfxState.cc

Fri, 08 Jan 2021 10:51:42 -0800 

 poppler/GfxState.cc |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

New commits:
commit a8fdb464e8c1ccc920c064324d7289fa05c1cf1d
Author: Albert Astals Cid <aa...@kde.org>
Date:   Fri Jan 8 16:27:50 2021 +0100

    Also protect against malformed GfxPatchMeshShading
    
    oss-fuzz/11197

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 34c9e6da..e42585ed 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4900,6 +4900,15 @@ GfxPatchMeshShading 
*GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
         }
     }
 
+    for (unsigned int k = 0; k < funcsA.size(); ++k) {
+        if (funcsA[k]->getInputSize() > 1) {
+            return nullptr;
+        }
+        if (funcsA[k]->getOutputSize() > static_cast<int>(gfxColorMaxComps - 
k)) {
+            return nullptr;
+        }
+    }
+
     nPatchesA = 0;
     patchesA = nullptr;
     patchesSize = 0;
commit f1b21278330a1a1f275f224a2ffd56dff45c5b4c
Author: Albert Astals Cid <aa...@kde.org>
Date:   Fri Jan 8 16:12:28 2021 +0100

    GfxDeviceNColorSpace: Shift the validity check to the constructor

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index fc411404..34c9e6da 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -2903,7 +2903,10 @@ GfxColorSpace *GfxDeviceNColorSpace::parse(GfxResources 
*res, Array *arr, Output
             }
         }
     }
-    return new GfxDeviceNColorSpace(nCompsA, std::move(namesA), altA, funcA, 
separationList);
+
+    if (likely(nCompsA >= funcA->getInputSize() && altA->getNComps() <= 
funcA->getOutputSize())) {
+        return new GfxDeviceNColorSpace(nCompsA, std::move(namesA), altA, 
funcA, separationList);
+    }
 
 err5:
     delete funcA;
@@ -2932,11 +2935,6 @@ void GfxDeviceNColorSpace::getGray(const GfxColor 
*color, GfxGray *gray) const
 
 void GfxDeviceNColorSpace::getRGB(const GfxColor *color, GfxRGB *rgb) const
 {
-    if (unlikely(nComps < func->getInputSize() || alt->getNComps() > 
func->getOutputSize())) {
-        rgb->r = rgb->g = rgb->b = 0;
-        return;
-    }
-
     double x[gfxColorMaxComps], c[gfxColorMaxComps];
     GfxColor color2;
     int i;
_______________________________________________
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler

Reply via email to